Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

3/3/2021
06:05 PM

More Details Emerge on the Microsoft Exchange Server Attacks

The attacks seem more widespread than initially reported, researchers say, and a look at why the Microsoft Exchange Server zero-days patched this week are so dangerous.

Security researchers believe attacks exploiting four critical Microsoft Exchange Server vulnerabilities extend beyond the "limited and targeted" incidents reported by Microsoft this week when it issued patches for the zero-day flaws and urged enterprises to patch immediately.


Organizations first learned of the Exchange server zero-days on Tuesday when Microsoft released the fixes. It attributes the activity to a group called Hafnium "with high confidence." Hafnium is believed to operate out of China and primarily targets organizations based in the United States, Microsoft reports.

As more security researchers track the activity, new details emerge about these active exploits, how they were found, and factors that drove the release of yesterday's out-of-band patches. 

These attacks appear to have started as early as Jan. 6, 2021, report Volexity researchers who detected anomalous activity from two customers' Microsoft Exchange servers that month. 

Volexity noticed a large amount of data being sent to IP addresses it believed were not tied to actual users. Closer inspection revealed inbound POST requests to legitimate static files (images, JavaScript, cascading style sheets, and fonts) used by Outlook Web Access; those files should only ever be fetched with GET. Researchers suspected the servers might be backdoored and began an investigation, which led to uncovering the zero-day exploit.

"We did a lot of analysis on the system initially to make sure it wasn't a backdoor," says Volexity founder and president Steven Adair. By early February, the team had determined what was going on and recreated the exploit themselves. Over the course of incident response efforts, researchers found the attacker had chained a server-side request forgery (SSRF) vulnerability with another that enables remote code execution (RCE) on the targeted Exchange servers. 

Volexity reported its findings to Microsoft and began working with the company. But things escalated in late February, when researchers noticed multiple instances of RCE. The attackers were using an exploit that allowed them to write Web shells to disk. In every case of RCE, Volexity saw the attacker write Web shells to disk and then dump credentials, add user accounts, steal copies of Active Directory databases, and move laterally to other systems.

"We saw that happen very noisily in many different places over the weekend," says Adair, noting this pushed up the timeline of deploying a patch for the vulnerability. "We didn't see a lot of RCE until just recently, and they went pretty wild." 

Up until this point, most of what the researchers saw was "low and slow" activity. Much of this involved subtle email theft that looked like conventional espionage, Adair says. Attackers targeted the emails of very specific people, though it's unclear what they were after. Nothing about the activity would have triggered an endpoint security tool, he adds.

It's unclear what caused the attackers to become more aggressive and change their tactics at this time. Microsoft has linked the activity to a single group; however, Adair isn't convinced a single threat actor is responsible. "It's clearly multiple people with different strategies operating," he says. 

John Hammond, senior security researcher at Huntress Labs, has also noticed the noisy activity. The Huntress team has seen the attackers use Windows command-line tools, add and/or delete admins from the "Exchange Organization administrators" group, and capture credentials or hashes stored within process memory.

"This attack has been a series of exploiting recent CVEs and using loud, overt tradecraft, which is surprising," he says. "But considering they have sprayed this all over the Internet, they clearly don't care about being stealthy."

Who Is Vulnerable? Who Is Under Attack?

While Microsoft describes this activity as "limited and targeted," Hammond reports indicators that this is now evolving into a larger-scale "spray and pray" campaign. Attackers seem to be scanning the Web to find vulnerable endpoints, he says. 

Huntress researchers have checked more than 2,000 Exchange servers and found roughly 400 vulnerable; another 100 are "potentially vulnerable," he says.

They report nearly 200 organizations have been compromised and more than 350 Web shells found. He notes some victims may have more than one Web shell, indicating automated deployment or uncoordinated actors.

Affected companies include small hotels, a kitchen appliance manufacturer, an ice cream company, senior citizen communities, and other mid-market businesses, Huntress Labs researchers write in a Reddit thread. Their data shows attackers targeted city and county governments, healthcare providers, banks and financial institutions, and residential electricity providers.

Meanwhile, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive calling for civilian federal agencies with on-premises Microsoft Exchange Servers to either update their software with newly released Microsoft patches or take the products offline until they can patch them.

Why Exchange Server Is A Hot Target

The vulnerabilities patched this week should be a priority. Every organization has to have email, and Microsoft Exchange is broadly used. These servers are typically publicly accessible on the open Web, Hammond says, and they can be exploited remotely. Once they gain a foothold, the attackers can expand their access to cause more damage throughout the target environment. 

"They're really critical components to an organization," Adair says of Exchange servers. An email server has to sit on the Internet, he says, which increases the risk of an attacker finding and targeting it. 

Even organizations with nothing else exposed to the Internet will still have an email server online - unless of course they use a cloud-based email service. For many, Exchange server is essential. It always has to be on, and it could give a successful attacker access to user passwords, domain accounts, and administrator accounts. A compromise, even if it only allowed an attacker to read email, could be "devastatingly bad." 

"Any vector is appealing to an attacker, but the Exchange server is a particularly critical one, and for some organizations may be the only avenue," Adair adds. 

How to know if you've been compromised? Unfamiliar activity in Web server logs connecting to the attackers' implanted Web shells should raise a red flag, says Hammond. A change in user permissions or administrative users may also raise suspicion and prompt a closer look. 

"The most effective means to track down this activity is by externally validating the vulnerability, looking for these indicators of compromise, and monitoring network activity on your servers," he adds. Hammond advises organizations to not only patch immediately, but to actively hunt for the presence of these webshells and other indicators of compromise.
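One concrete form of the log hunting Hammond describes, and of the anomaly Volexity noticed (POST requests to image, script, stylesheet and font files under Outlook Web Access), is to parse the IIS W3C logs and flag any POST whose target is a static asset. The script below is an added example, not Volexity's or Huntress's tooling and not a Microsoft-supplied check; the log excerpt is constructed, and the OWA/ECP paths and client IPs in it are hypothetical rather than known indicators of compromise. A hit is a reason to inspect the file on disk, not proof of a Web shell on its own.

```python
"""Hunt IIS/OWA logs for POST requests to static-asset paths.

Added example (not from the article or the researchers quoted in it).
The log lines below are constructed; paths and addresses are hypothetical.
"""
from collections import Counter

# Extensions that a healthy OWA/ECP front end serves as static content.
# A POST to one of these is the pattern described in the article.
STATIC_EXTENSIONS = {".js", ".css", ".png", ".gif", ".jpg", ".ico",
                     ".woff", ".woff2", ".ttf", ".eot", ".svg"}

# Constructed W3C-format IIS log excerpt. IIS writes spaces inside
# cs(User-Agent) as '+', so splitting on whitespace is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-02-27 03:12:41 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2021-02-27 03:12:42 10.0.0.5 GET /owa/auth/15.1.2176/themes/resources/logo.png - 443 - 198.51.100.23 Mozilla/5.0 200
2021-02-27 03:13:07 10.0.0.5 POST /owa/auth/15.1.2176/themes/resources/logo.png - 443 - 203.0.113.77 python-requests/2.25.1 200
2021-02-27 03:13:09 10.0.0.5 POST /owa/auth/15.1.2176/scripts/premium/flogon.js - 443 - 203.0.113.77 python-requests/2.25.1 200
2021-02-27 03:14:00 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 302
2021-02-27 03:15:12 10.0.0.5 GET /ecp/default.css - 443 - 192.0.2.9 Mozilla/5.0 200
2021-02-27 03:15:13 10.0.0.5 POST /ecp/default.css - 443 - 203.0.113.77 curl/7.68.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can change mid-file; track it
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated lines rather than mis-align columns
        yield dict(zip(fields, values))


def is_suspicious(entry):
    """True for a POST whose target is a file normally served only as static content."""
    if entry.get("cs-method", "").upper() != "POST":
        return False
    path = entry.get("cs-uri-stem", "").lower()
    dot = path.rfind(".")
    return dot != -1 and path[dot:] in STATIC_EXTENSIONS


def hunt(text):
    """Return the suspicious entries and a count of hits per client IP.

    Grouping by c-ip makes the 'same source hitting several planted files'
    pattern stand out, which is what to triage first.
    """
    hits = [entry for entry in parse_w3c(text) if is_suspicious(entry)]
    per_client = Counter(entry["c-ip"] for entry in hits)
    return hits, per_client


if __name__ == "__main__":
    found, clients = hunt(SAMPLE_LOG)
    for e in found:
        print(f'{e["date"]} {e["time"]} {e["c-ip"]} POST {e["cs-uri-stem"]} -> {e["sc-status"]}')
    print("clients:", dict(clients))
```

Run it against the real log directory (typically the W3SVC folders under the IIS log root) by feeding each file's contents to `hunt`. The legitimate `POST /owa/auth.owa` login is not flagged because `.owa` is a handler, not a static asset; the three POSTs to `.png`, `.js` and `.css` from the same client are. Pair any hit with a check of the file's contents and modification time on the server, since the page notes a single victim may carry several Web shells.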

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...